Ransomware wars: MongoDB databases under siege

The dangers of unsecured connected devices were made all too clear in 2015 when the personal data of more than 3 million Hello Kitty clients, stored on an open MongoDB database, was leaked to the public. Today, companies continue to suffer from major data leaks caused by inadequate security, as seen in the Ghostshell affair.

Early 2017 has seen a strong increase in MongoDB attacks by hackers. According to a report published on 4 January by a security news website, data has been stolen from hundreds of open MongoDB databases, which were discovered in late December by security expert Victor Gevers.

In less than a week, the number of attacks has grown exponentially. Currently, there are upwards of 27,000 attacks per day on unprotected MongoDB databases, according to researcher Niall Merrigan. Clearly, the sharing of data and “good” practices among hackers is still a driving force behind this activity.

Data extortion

The hackers’ plan of attack is as follows: they identify an unprotected database and export its content. They then wipe the database and post a ransom request:

[Image: mongo-database-ransomware]

Ransom message mentioning 0wn3d@protonmail.com

Source: Victor Gevers on Twitter

The message is clear: if you want to see your data again, pay up. If you have not backed up your database, you are at the hackers’ mercy. As of 10 January 2017, around 15 hackers had been identified as using this kind of technique to extort money from the owners of unprotected MongoDB databases.

Furthermore, CybelAngel has observed that databases indexed on search engines such as Shodan are more likely to be targeted. At the time of writing, no ransom messages had been posted in the unprotected MongoDB databases we detected that were not indexed on Shodan (indexing generally occurs when connected devices with static IP addresses are exposed for a certain period of time). It is therefore likely that hackers are using these kinds of services to detect open databases.

Blackmail or fraud?

These attacks involve hackers exporting database content in order to hold it to ransom. However, the logs of recently hacked databases reveal a worrying new trend. Hackers appear to be targeting the same databases, overwriting earlier ransom messages, making it impossible to recover the original data. It is also possible that some hackers never export database content, simply wiping it completely.

[Image: kraken-email]

1. On 7 January at 2.25 p.m., a ransom message is posted by kraken@india.com in an unprotected database. Source: logs published on Pastebin

[Image: 3lix1r-email]

2. Less than five hours later, a second hacker posts another message, deleting the previous one. This hacker does not have the data initially contained in the database. Source: logs published on Pastebin
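As an added illustration (not code from the original post or from CybelAngel), the following Python script turns the wipe-and-overwrite pattern visible in the logs above into a detection rule: it correlates mongod connection, authentication and dropDatabase log lines and flags every database wipe issued over a connection from outside the loopback and RFC 1918 ranges that never authenticated. The sample log lines are constructed in the style of mongod 3.x; the IP addresses, connection ids and database names are assumptions.

```python
import re
import ipaddress

# Constructed sample in the style of mongod 3.x log lines (not from the original post).
SAMPLE_LOG = """\
2017-01-07T14:24:59.101+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:40211 #4 (1 connection now open)
2017-01-07T14:25:00.402+0000 I ACCESS   [conn4] Successfully authenticated as principal backup on admin
2017-01-07T14:25:01.210+0000 I COMMAND  [conn4] dropDatabase staging starting
2017-01-07T14:25:01.250+0000 I COMMAND  [conn4] dropDatabase staging finished
2017-01-07T14:25:10.005+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.77:51234 #5 (2 connections now open)
2017-01-07T14:25:12.337+0000 I COMMAND  [conn5] dropDatabase customers starting
2017-01-07T14:25:12.390+0000 I COMMAND  [conn5] dropDatabase customers finished
2017-01-07T19:02:41.018+0000 I NETWORK  [initandlisten] connection accepted from 198.51.100.9:60022 #6 (2 connections now open)
2017-01-07T19:02:43.774+0000 I COMMAND  [conn6] dropDatabase customers starting
"""
CONN_RE = re.compile(r"^(\S+) I NETWORK\s+\[\w+\] connection accepted from ([\d.]+):\d+ #(\d+)")
AUTH_RE = re.compile(r"^(\S+) I ACCESS\s+\[conn(\d+)\] Successfully authenticated as principal \S+ on \S+")
DROP_RE = re.compile(r"^(\S+) I COMMAND\s+\[conn(\d+)\] dropDatabase (\S+) starting")
# Loopback and RFC 1918 ranges; any other client address is treated as external.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_trusted(ip_text):
    return any(ipaddress.ip_address(ip_text) in net for net in TRUSTED_NETS)

def find_suspicious_drops(log_text):
    """Return (timestamp, conn_id, source_ip, database) for each dropDatabase issued
    over a connection from an untrusted address that never authenticated: the wipe
    step of the attacks. Two hits on one database from two sources is the overwrite."""
    conn_ip = {}   # connection id -> client IP, taken from the "connection accepted" line
    authed = set()  # connection ids that completed authentication
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conn_ip[m.group(3)] = m.group(2)
            continue
        m = AUTH_RE.match(line)
        if m:
            authed.add(m.group(2))
            continue
        m = DROP_RE.match(line)
        if m:
            ts, cid, db = m.groups()
            src = conn_ip.get(cid, "unknown")  # the accept line may sit in a rotated log
            if cid not in authed and (src == "unknown" or not is_trusted(src)):
                hits.append((ts, cid, src, db))
    return hits
```

On the constructed sample, the authenticated loopback drop of `staging` is ignored while both unauthenticated external drops of `customers` are reported, the second one being the overwrite by a different source that destroys the first hacker's copy.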

A saturated market

Most of the hackers identified appear to have seized the opportunities offered by this malicious activity. This could lead to rivalries in what is fast becoming a saturated “market”. For instance, personal data for the hacker “0wn3d” mentioned above was anonymously posted on 9 January on the Pastebin text sharing website:

[Image: own3d-dox-1]

Was this a good deed by an anonymous web Samaritan or an effective way of ousting a rival? It is hard to say. But – unfortunately for 0wn3d – the post also contained login information for his or her favourite websites:

[Image: own3d-dox-2]

Homo homini lupus


The saturation of the open MongoDB market could be further accelerated by another factor. According to a Pastebin publication, Kraken is selling a tool that allows users to scan open MongoDB databases and post ransom messages:

[Image: kraken-sell-ransomware-mongodb]

The Bitcoin wallet associated with the e-mail address kraken@india.com has recently been credited with 93 transactions of 0.1 Bitcoin each, amounting to approximately €8,500.

Hackers and the IoT

The latest wave of attacks appears to confirm that hackers are focusing their efforts on connected devices, which have become more visible due to tools such as Shodan, and which can contain extremely valuable data.

A growing number of hackers are capitalising on the opportunities offered by these new devices and protocols, which are increasingly common but often inadequately protected.

Suggestions